CVE-2025-20292
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute a command injection attack on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by entering crafted input as the argument of an affected CLI command. A successful exploit could allow the attacker to read and write files on the underlying operating system with the privileges of a non-root user account. File system access is limited to the permissions that are granted to that non-root user account.
EPSS 0.15% · 35.6th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Unified Computing System (Managed) | 4.0(2a), 4.1(1c), 4.0(4a) |
| Cisco | Cisco NX-OS System Software in ACI Mode | 15.2(6h), 16.0(1j), 14.2(7v) |
| Cisco | Cisco NX-OS Software | *, *, * |
Exploit Intelligence
- cisco-sa-nxos-cmdinj-qhNze5Ss (circl)
Timeline
- Oct 10, 2024 CVE ID Reserved
- Aug 27, 2025 Coalition ESS Score
- Aug 27, 2025 CVE Published
- Aug 27, 2025 CVE Updated
- Aug 28, 2025 EPSS Score
- Sep 1, 2025 Coalition ESS Score
- Sep 5, 2025 EPSS Score
- Sep 13, 2025 EPSS Score
- Sep 20, 2025 EPSS Score
- Sep 28, 2025 EPSS Score
- Oct 3, 2025 Coalition ESS Score
- Oct 6, 2025 EPSS Score